Thursday, December 31, 2015

Joseph Menn reports on some poor decision-making
by Microsoft that left hacking victims in the dark that their
communications had been intercepted:

Microsoft Corp experts concluded several
years ago that Chinese authorities had hacked into more than a
thousand Hotmail email accounts, targeting international leaders of
China’s Tibetan and Uighur minorities in particular – but it
decided not to tell the victims, allowing the hackers to continue
their campaign, according to former employees of the company.

On Wednesday, after a series of requests
for comment from Reuters, Microsoft said it will change its policy
and in the future tell its email customers when it suspects there has
been a government hacking attempt.

The first public signal
of the attacks came in May 2011, though no direct link was
immediately made with the Chinese authorities. That's when security
firm Trend Micro Inc announced it had found an email sent to someone
in Taiwan that contained a miniature computer program.

The program took
advantage of a previously undetected flaw in Microsoft's own web
pages to direct Hotmail and other free Microsoft email services to
secretly forward copies of all of a recipient's incoming mail to an
account controlled by the attacker.

Trend Micro found more
than a thousand victims, and Microsoft patched the vulnerability
before the security company announced its findings publicly.

Google is a major player in U.S.
education. In fact, in many public schools around the country, it’s
technically a “school official.” And that designation means
parents may not get a chance to opt out of having information about
their children shared with the online advertising giant.

India just signed up its billionth mobile-phone
customer, joining China as the only countries to cross that
milestone.

Yet that 10-digit base may not be enough to keep
the industry from struggling. Asia’s third largest economy is
crowded with a dozen wireless carriers -- more than in any other
country -- spectrum is hard to come by and regulatory risks are high.
Add it all up and it’s no wonder they deliver lower profitability
than phone operators in other parts of Asia, according to Sanford C.
Bernstein & Co.

… It was not immediately clear why the program
was halted. Neither Etisalat nor Egyptian officials could
immediately be reached for comment. The program was recently
highlighted at an entrepreneurship fair in Cairo.

Facebook and other social media sites are
extremely popular in Egypt, and were used to organize protests during
the 2011 uprising that toppled longtime autocrat Hosni Mubarak.

“When you're a government you waste money. It's
what you do.” You also claim success before you do anything else.

… The largest attempt to bridge these gaps
began in 2006 under the umbrella of the Secure Border Initiative,
known as SBInet. US Customs and Border Protection (CBP)
began a project nicknamed the “virtual fence” that would link
decades-old underground sensors, radar towers, and communications
networks into an integrated invisible surveillance system.

The contract with Boeing was supposed to be
completed in two years and cost roughly $220 million. However, cost
increases, time delays, and general human incompetence caused the
virtual fence project to get pushed back to 2011 and costs to
skyrocket to almost $1 billion.

… However, after two years of searching for a
solution provider and crafting a strategy, DHS believes the current
iteration of its virtual barrier is the final answer. Arizona is
currently the test bed for the Integrated Fixed Tower
project—formally known as the Arizona Border Surveillance
Technology Plan—which aims to erect 52 sensor-laden towers along
the southwest border by the year 2020.

… Why DHS officials are so confident the
Arizona plan will work better than previous solutions is unclear, and
there are already signs of delays and management problems.

Washington
Post: “A powerful winter cyclone — the same storm that led
to two tornado outbreaks in the United States and disastrous river
flooding — has driven the North Pole to the freezing point this
week, 50 degrees above average for this time of year. From Tuesday
evening to Wednesday morning, a mind-boggling pressure drop was
recorded in Iceland: 54
millibars in just 18 hours. This triples the criteria for
“bomb” cyclogenesis, which meteorologists use to describe a
rapidly intensifying mid-latitude storm. A “bomb” cyclone is
defined as dropping one millibar per hour for 24 hours. NOAA’s
Ocean Prediction Center said the storm’s minimum pressure dropped
to 928 millibars around 1 a.m. Eastern time, which likely places it
in the top five strongest storms on record in this region…”

… The extramarital affair website Ashley
Madison says it has gained nearly 4.6 million members since hackers
posted the names of the website's users in August. A counter on the
site's front page claimed more than 43.4 million “anonymous
members” Tuesday — up from about 38.9 million Aug. 18, the day
hackers posted users' private information online.

I thought Microsoft and others wanted to get out
of the “We can decrypt it” boondoggle?

ONE OF THE EXCELLENT FEATURES of new
Windows devices is that disk
encryption is built-in and turned on by default, protecting your
data in case your device is lost or stolen. But what is less
well-known is that, if you are like most users and login to Windows
10 using your Microsoft account, your computer automatically uploaded
a copy of your recovery key — which can be used to unlock your
encrypted disk — to Microsoft’s servers, probably without your
knowledge and without an option to opt out.

What did they know that we didn't know? What did
we know that we were worried they might know? Did they have a better
argument than we did? Did they have facts that we didn't? (Should I
believe that Israeli security is so poor their Prime Minister does
not use an encrypted phone?)

The U.S. captured communications from Israeli
Prime Minister Benjamin Netanyahu and his aides and swept up the
content of private conversations with U.S. lawmakers, giving the
Obama administration insight into Israel's lobbying efforts against
the international nuclear deal with Iran, according to a new report.

The
Wall Street Journal reported Tuesday that the National Security
Agency (NSA) swept up information that White House officials
considered valuable as it sought to counter Netanyahu's vocal
opposition to the nuclear deal between Iran, the U.S. and other world
leaders.

… The Journal also reported that White House
officials were worried about the politics of asking for swept-up
communications between Israeli officials and members of Congress,
allowing the NSA to decide what to share.

"The updated language emphasizes that Twitter
will not tolerate behavior intended to harass, intimidate, or use
fear to silence another user's voice," Megan Cristina, the
company's director of trust and safety, wrote in a blog post. "As
always, we embrace and encourage diverse opinions and beliefs — but
we will continue to take action on accounts that cross the line into
abuse." That sounded like a good thing, but when I pulled up
Twitter's new
rules, they looked an awful lot like Twitter's
old rules.

The one significant addition is a new section that
bans "hateful conduct" that targets users on the basis of
their race, nationality, sexual orientation, gender, gender identity,
age, disability, or disease. The rule also bans creating multiple
accounts for the primary purpose of inciting harm toward others based
on those categories. At the same time, the old harassment rules
likely prevented this sort of behavior as well.

The truth is that updated rules are meaningless
unless the company strictly enforces them.

At our Enterprise Information and Master Data
Management Summit this year (back in the Spring) we mentioned, as
part of the keynote, the phrase, “from information asset to
information access”. See Information
is the new source of economic value, May 2015. This perhaps
innocuous phrase captures a significant part of the message from the
keynote: the digital, now algorithm economy, will herald significant
economic shifts.

Amazon is
about to go head-to-head with Britain's struggling supermarkets

… The news that Amazon is to ramp up its
grocery delivery business will come as a blow to the “big four”
supermarket chains – Tesco, Asda, Sainsbury’s and Morrisons –
which are already under pressure as a result of changing
shopping habits. Large grocers have been battling falling sales
as households abandon the
weekly shop in favour of discount supermarkets, regular local
top-up shopping and online ordering.

“The British
Museum’s remarkable collection spans over two million years of
human history and culture. Over 6 million visitors every year
experience the collection, including world-famous objects such as
the Rosetta Stone, the Parthenon sculptures, and Egyptian mummies.”

The Transportation Security Administration is
increasing random checks of airport and airline employees who hold
badges that enable them to bypass security checkpoints.

The decision follows instances in the past two
years in which employees used restricted entrances to
smuggle guns and launder money.

… The American memo, for instance, reminded
employees that if they work in a secure area and plan to travel after
their shift is over, they must exit the sterile area and go through
TSA screening, with their carry-on luggage, in order to board a
flight.

How does
the Cybersecurity Act of 2015 change the Internet surveillance laws?

The Omnibus
Appropriations Act that President
Obama signed into law last week has a provision called the
Cybersecurity Act of 2015. The Cyber Act, as I’ll call it,
includes sections about Internet monitoring that modify the Internet
surveillance laws. This post details those changes, focusing on how
the act broadens powers of network operators to conduct surveillance
for cybersecurity purposes. The upshot: The Cyber Act expands those
powers in significant ways, although how far isn’t entirely clear.

For students studying Homeland Security and
searching for all those keywords on the DHS watch list.

Enter StartPage,
a search engine that makes Google searches private. When you type
your query, StartPage anonymously submits it to Google and displays
the results back to you. By adding this middle man, your privacy is
protected since Google is not placing tracking cookies on your
browser or logging your IP address to associate you with those
searches.

China doesn't allow Facebook. Just because India
does, that doesn't mean the country should welcome Facebook CEO Mark
Zuckerberg's plan to carve the Internet into pocket boroughs, let
alone his preaching that this is a great way to connect a billion
people to their digital future.

Facebook's "Free Basics" service, which
gave some wireless subscribers in India access to a clutch
of pre-selected websites without having to pay data charges, was
put in abeyance
recently at the request of the Telecom Regulatory Authority of
India. Activists say the program threatens net neutrality, the
principle that all Internet sites should be equally accessible. The
regulator is yet to decide whether a differential pricing regime for
some websites or applications will be allowed.

The retail chain started a new trade-in program
last month that allows customers to exchange various store gift cards
for a Target gift card, usually at a de-valued rate. For example, if
a customer wanted to trade a $100 Walmart gift card, he or she could
get a $85 Target card in exchange.

… The process works much like existing gift
card exchange websites, including CardPool.com and CardCash.com. In
fact, a shopper could get an even better deal for that $100 Walmart
gift card on CardPool.com, which is a partner with Target. Based on
what Fortune found on December 28, the store credit would
amount to $93, delivered via check from CardPool.

However, Target’s program is all about
convenience. The trade is instantaneous, and a customer can walk
away immediately with their Target card in-hand.

… While it might seem like something straight
out of a James Bond movie, it is possible to use your smartphone to
detect hidden cameras, as
well as other 007 devices. In general, two common methods are
used to achieve this.

The first is by using the smartphone hardware to
detect electromagnetic
fields. With the installation of a single app, you can move your
phone around the area you suspect a camera to be hidden, and if a
strong field is detected, you can be sure there is a camera secreted
within the wall or object.

Another way that smartphones can be used is by
detecting light reflecting from a lens. While this method isn’t
quite as reliable, it is still worth having such an app, if only to
find small objects dropped on a carpet!

… Archiving and backing up emails is simply a
matter of setting up Outlook to archive old emails to a special file,
and then setting up a schedule to archive those files to some safe
location for long-term storage. In this article you’ll see just how
simple this process is.

Open data has contributed to dramatic improvements
in a wide array of fields over the past few decades, affecting how we
look at astronomy, genetics,
climate change,
sports and
more. But until recently, crime has gone without the open
analysis prevalent in other fields because crime data has been
closely held by law enforcement agencies and has usually only been
released in bulk at monthly, quarterly or annual intervals.

Now, thanks to efforts from the federal government
and individual municipalities, crime analysis is positioned for a
leap forward as cities place unprecedented quantities of data online.

… Born out of recommendations
from President Obama’s Task Force on 21st Century Policing, the
initiative was launched
in May to encourage police departments to “better use data and
technology to build community trust.” As of late November, 27
agencies had committed to providing public access to law
enforcement data as part of the initiative.

– Personal, public, and some non-public information on 191 million registered voters exposed
– Efforts to identify database’s owner to notify them unsuccessful
– Database still exposed

A
misconfigured database leaking the personal information of over 191
million voters was reported to DataBreaches.net by researcher Chris
Vickery. This report includes some of the results of an
investigation by Vickery, DataBreaches.net, and Steve Ragan of Salted
Hash.

“The Dissent project is a research
collaboration between Yale
University and UT
Austin to create a powerful, practical anonymous group
communication system offering strong, provable security guarantees
with reasonable efficiency. Dissent’s technical approach differs
in two fundamental ways from the traditional relay-based approaches
used by systems such as Tor:

Dissent seeks to offer accountable
anonymity, giving users strong guarantees of anonymity while
also protecting online groups or forums from anonymous abuse such as
spam, Sybil
attacks, and sockpuppetry.
Unlike other systems, Dissent can guarantee that each user of an
online forum gets exactly one bandwidth share, one vote, or
one pseudonym, which other users can block in the event of
misbehavior.

Dissent offers group-oriented anonymous
communication best suited for broadcast communication: for example,
bulletin boards, wikis, auctions, or voting. Members of a group
obtain cryptographic guarantees of sender and receiver anonymity,
message integrity, disruption resistance, proportionality, and
location hiding. For a high-level overview of Dissent and where it
fits among various approaches to anonymous communication, see our
article Seeking
Anonymity in an Internet Panopticon, to appear in Communications
of the ACM. For technical details we recommend starting with our
CCS
’10, OSDI
’12, and USENIX
Security ’13 papers describing the experimental protocols
underlying Dissent. Also feel free to check out the source code at
the link to the right, keeping in mind that it is an experimental
prototype and not yet ready for widespread deployment by
normal users.”

The goal of a totalitarian regime is to control
everything in a country: information, resources, and power. In the
21st century, that even includes omnipotence over the code that the
country's computers use.

Enter RedStar OS: North Korea's own Linux based
operating system, designed to monitor its users and remain resilient
to any attempts to modify or otherwise exert control over it. On
Sunday at Chaos Communication Congress, a security, art, and politics
conference held annually in Hamburg, Germany, researchers Niklaus
Schiess and Florian Grunow presented
their in-depth investigation of the third version of the
operating system.

… whenever a USB storage device containing
documents, photos or videos is inserted into a RedStar computer, the
operating system takes the current hard-disk's serial number,
encrypts that number, and then writes that encrypted serial into the
file, marking it.

The purpose “is to track who actually has this
file, who created this file, and who opened this file,” Schiess
said.

… The Prime service, an offering combining
free two-day shipping on many items with access to video streaming,
had a "record-setting" holiday, an Amazon press release
said. More than 3 million members joined the service in the third
week of December, bringing its total membership to "tens of
millions," it said.

… Amazon also highlighted Monday that 200
million more items received free shipping this year, reaching a
record. It added that holiday viewing hours of its Prime service's
video-streaming doubled from a year earlier and music streaming
globally rose 350 percent on the year.

… Earlier this month, Macquarie Capital
analyst Ben Schachter told CNBC that his company estimated that
around 25 percent of U.S.
homes had already signed up for the Prime service.
Macquarie estimates that by year-end, Amazon will capture 51 percent
of U.S. e-commerce growth and 24 percent of retail growth.

The company can have a huge influence over online
shopping in general. Earlier this month, the latest CNBC All-America
Economic Survey found that 40 percent of all adults search Amazon
"always" or "most of the time" when shopping
online, compared to just 10 percent who say they never include Amazon
in an online search.

Other figures from the survey were more striking:
The conversion rate, or the number of visits to the website that
result in a purchase, is massive. Some
50 percent of those Americans searching Amazon most frequently are
actually making a purchase. That compares with the widely
cited retail industry average for turning online searches into
purchases at a mere 3 percent.

Via LLRX.com
– Competitive
Intelligence – A Selective Resource Guide. Sabrina
I. Pacifici’s comprehensive current awareness guide focuses on
leveraging a selected but wide range of reliable, topical,
predominantly free websites and resources. The goal is to support an
effective research process to search, discover, access, monitor,
analyze and review current and historical data, news, reports,
statistics and profiles on companies, markets, countries, people and
issues, from a national and a global perspective. Sabrina’s guide
is a “best of the Web”
resource that encompasses search engines, portals, government
sponsored open source databases, alerts, data archives, publisher
specific services and applications. All of her
recommendations are accompanied by links to trusted content targeted
sources that are produced by top media and publishing companies,
business, government, academe, IGOs and NGOs.

… Back in the summer of 2013, it was not hard,
even for Mr. Alford, to understand why it took him time to win over
the others on the case.

… Mr. Alford also detected the sort of
organizational frictions that have hindered communication between law
enforcement agencies in the past.

… “I’m not high-tech, but I’m like,
‘This isn’t that complicated. This is just some guy behind a
computer,’” he recalled saying to himself. “In these technical
investigations, people
think they are too good to do the stupid old-school stuff. But I’m
like, ‘Well, that stuff still works.’ ”

Mr.
Alford’s preferred tool was Google. He used the
advanced search option to look for material posted within specific
date ranges.

Saturday, December 26, 2015

Should we assume that TSA has discovered a major
flaw in their pat-down procedure? Perhaps they are merely trying to
justify spending all that money on a technology that wasn't being
used? (Yeah, you challenge them. I'm walking.)

Passengers required by the Transportation Security
Administration (TSA) to submit to a body scan can legally refuse,
according to Marc Rotenberg, President of the Electronic Privacy
Information Center (EPIC).

… On Friday, without notice, the
Transportation Security Authority (TSA) implemented new procedures
for airport security screening. TSA had been, until Friday, using a
screening procedure that consisted of either an AIT body scan or a
pat-down scan, at the passenger’s option. The legality
(that is, constitutionality) of the security procedure encompassing a
passenger’s option to choose an AIT scan or a pat-down scan was
affirmed by the D.C. Court of Appeals in 2012, in the EPIC v DHS
case mentioned above.

… What is different in the new security
procedures is that TSA made the body scans mandatory for some people

… Class Central has released its report
on 2015 MOOC enrollment: “The MOOC space essentially doubled this
year. More people signed up for MOOCs in 2015 than they did in the
first three years of the modern MOOC space’s existence.”

… Via
Boing Boing: “In Texas, a 12 year old Sikh boy was arrested for
‘terrorism’ over a solar charger.”

Friday, December 25, 2015

Ten months after a major hack into taxpayer
information at the IRS, the Treasury Inspector General for Tax
Administration says the IRS is still working on bolstering its
Internet sign-in procedures.

Initially the IRS had said last May that more than
100,000 taxpayer records had been stolen. But then in August it
tripled that estimate to 334,000.
The IRS says hackers had made an estimated 615,000 attempts to break
in, for a success rate of more than 50%.

… The IRS moved to close the gaps in this
application starting last spring, and is now trying to come up with
more secure sign-on procedures for taxpayers so they can access their
tax information, says the new
watchdog report.

The watchdog’s findings come as more
than eight out of ten taxpayers use websites to get information about
their tax payments, the IRS says. [Sounds
high to me. Bob]

The Office of the Director of National
Intelligence (DNI) released a handful of sensitive documents Thursday
morning dealing with terrorism suspect Anwar al-Awlaki and the
terrorist attacks in Benghazi, Libya.

The Christmas Eve document dump includes 16
pages of heavily blacked-out emails about the events surrounding
the 2012 terrorist attack on a U.S. diplomatic compound in Benghazi
that killed four Americans.

… The
documents were released as part of a “proactive
disclosure” under the Freedom of Information Act. The
government and public relations firms have been known to release
unflattering information around major holidays or weekends to blunt
the news effect.

Sometimes words in an article just jump out at me.
I wonder what other hacks are possible?

… Among the new safety features for the 2016
BMW 7 Series is an update to the adaptive cruise control designed to
help drivers stick to posted speed limits. Using data from the
navigation system and cameras
that read traffic signs, the car prompts the driver when
the speed limit is about to change.

… Speedy drivers can preselect by how much
they’d like the system to automatically
exceed the speed limit, up to 15 km/h (9.3 mph) over.

Hyatt’s notice
to customers has very few details about the investigation, such
as how long the breach lasted or how many consumers may have had
their card data stolen as a result. Hyatt did say that it has taken
steps to strengthen its systems, and that “customers can feel
confident using payment cards at Hyatt hotels worldwide.”

Yesterday morning, some of us were following up on a
ProPublica
report about a New Jersey clinic that, when suing patients for
overdue accounts, included their diagnostic codes in materials sent
to their collection agency. Those records – containing the
patients’ names, diagnostic codes, and treatment codes – became
part of public court records.

There were some interesting questions raised by
the case. The Short Hills Associates in Clinical Psychology provides
its patients with its notice of privacy practices, but when an
aggrieved patient filed a complaint with HHS over the disclosure of
his diagnostic code, OCR closed the case without action because
the clinic – using paper records for transactions – was not a
HIPAA-covered entity.

But what about the collection agency? If the
clinic was not a HIPAA-covered entity, was the collection then not a
Business Associate under HIPAA? At first blush, it might seem
unreasonable to think that they could still be a business associate
and subject to HIPAA’s restrictions on only disclosing what is
necessary to obtain payment.

But Texas attorney Jeff Drummond raised some very
interesting points in our discussion, including one that if
the collection agency was a BA for any other entity, then they might
be covered by HIPAA to protect all clients’ patient records.

Jeff has blogged about the issues raised by this
case on HIPAA
Blog. It’s a post – and interpretation of HIPAA – that I
found surprising, to say the least. I would love to see a panel
discuss this issue at a conference. In the meantime, I may shoot a
link to it over to HHS to ask for their reaction.

In the meantime, go read Jeff’s post.

Is the FAA encouraging more restrictions or
looking for better wording?

December 17, 2015 – “The Federal Aviation
Administration’s (FAA) new
fact sheet on state and local regulation of unmanned aircraft systems
(UAS) provides information for states and municipalities considering
laws or regulations addressing UAS use. The document outlines FAA’s
safety reasons for federal oversight of aviation and airspace, and
explains federal responsibility in this area. The fact sheet
provides examples of state
and local laws affecting UAS for which consultation with
the FAA is recommended, such as restrictions on flight altitude or
flight paths, regulation of the navigable airspace, and mandating
UAS-specific equipment or training. The fact sheet also gives
examples of UAS laws likely to fall within state and local government
authority, such as requirements for police to obtain a warrant prior
to using UAS for surveillance; prohibitions on the use of UAS for
voyeurism; exclusions on using UAS for hunting or fishing, or
harassing individuals engaged in those activities; and prohibitions
on attaching firearms or other weapons to a UAS.”

So you don't have to get x-rayed, unless you do.
Can you then opt-out? Probably not.

… Now the Advanced Imaging Technologies (AIT)
using Automatic Target Recognition (ATR) will be mandatory in certain
cases. Slashgear
notes that prior to this the scanners were opt-in, and one could
go through a contactless, non-imaging scan instead. That option will
exist, but security agents
can insist on mandatory screening "for some passengers." The
argument the DHS gives (PDF) is that these scanners are more
capable of detecting prohibited, non-metallic items that could
be hidden under a few layers of clothing than a metal detector
wand would be.

LexisNexis Business of Law Blog: “White papers
are a place for deep thinking – deep thinking that is data-driven.
Combine that data with innumerable client engagements, from small law
firms to large – and from corporate legal departments to legal
services bureaus – and we’re able to chronicle insights for the
market in neatly packaged white papers. As part of our 2015
roundup series, here’s
an at-a-glance listing of many of the white papers we’ve published
this year.”

NEW DELHI: Social media giant Facebook has started
an aggressive campaign in India to gather public support for its free
internet platform 'Free Basics.'

… The Telecom Regulatory Authority of India
(Trai) has asked RCom to keep the service in abeyance till there is a
decision on its consultation process around differential pricing of
data by operators. The last date for public comments
on Trai's paper is December 30.

… The regulator has received close to 5.7 lakh
[570,000 Bob]
comments, out of which over 5.5 lakh comments are through Facebook's
campaign.

I will not use this line on my students. I will
not use this line on my students. I will not use this line on my
students.

The Department of Homeland Security has arrested
and charged (PDF)
a man from the Bahamas for stealing unreleased movie/TV scripts along
with celebrities' files and sensitive information. According to The
New York Times, the 23-year-old hacker named Alonzo Knowles
contacted a radio host in an effort to sell his loot, which included
the scripts for six episodes of a hit drama currently being filmed.
When the unnamed host got in touch with Homeland Security, the agency
cooked up a sting operation and had him put Knowles in touch with an
undercover investigator posing as a buyer.

… The accused allegedly tried to sell the
agent 15 scripts
and the social security numbers of two athletes and a movie actress
for $80,000. He also showed the agent a sex tape, saying that it's
merely a "sample of things [he] can get" -- he had "more
stuff along these lines and can get more" if the buyer was
interested.

… He reportedly admitted to the undercover
agent that when it was too
difficult to hack a particular celebrity, he would look at pictures
online to see who his friends are and then hack them instead.
He'd also send fake automated text messages telling recipients that
their accounts had been hacked, and some people actually replied with
their passwords. Other times, he'd send a virus to celebrities'
computers to infiltrate their systems.

For
three years, state Department of Corrections staff knew a
software-coding error was miscalculating prison sentences and
allowing inmates to be released early. On Tuesday, Gov.
Jay Inslee gave the damning tally: up to 3,200 prisoners set free too
soon since 2002.

The problem stemmed from “good time” credits
applied to certain prison sentences, and was
discovered, according to the Corrections Department, only
after a victim’s family alerted officials in 2012 that
they might be planning to release an offender too early. Once the
broader problem was discovered, a scheduled software fix got caught
up in repeated IT delays, yet to be explained.

“That this
problem was allowed to continue to exist for 13 years is
deeply disappointing,” Inslee said. “It is totally unacceptable,
and frankly it is maddening.”

… The governor ordered the DOC to halt all
releases of prisoners whose sentences could have been affected until
a hand calculation is done to ensure offenders are being released on
the correct date. [Why not
three years ago? Bob]

But it’s easy for infosec pros to sit
back and think, ‘Thank Gawd my company isn’t such a big fat
target.’ Instead, they should remember all of the smaller breaches
that happened this year as a lesson that corporations and government
departments aren’t the only targets. Here are just three of them:

Read more on IT
World Canada, where Solomon actually mentions a number of
incidents, including a few you may not have heard about.

Joshua Baron, Angela O’Mahony, David Manheim,
Cynthia Dion-Schwarz: “This
report examines the feasibility for non-state actors, including
terrorist and insurgent groups, to increase their political and/or
economic power by deploying a virtual currency (VC) for use in
regular economic transactions. A VC, such as Bitcoin, is a digital
representation of value that can be transferred, stored, or traded
electronically and that is neither issued by a central bank or public
authority, nor necessarily attached to a fiat currency (dollars,
euros, etc.), but is accepted by people as a means of payment. We
addressed the following research questions from both the
technological and political-economic perspectives: (1) Why would a
non-state actor deploy a VC? That is, what political and/or economic
utility is there to gain? How might this non-state actor go about
such a deployment? What challenges would it have to overcome? (2) How
might a government or organization successfully technologically
disrupt a VC deployment by a non-state actor, and what degree of
cyber sophistication would be required? (3) What additional
capabilities become possible when the technologies underlying the
development and implementation of VCs are used for purposes broader
than currency? This report should be of interest to policymakers
interested in technology, counterterrorism, and intelligence and law
enforcement issues, as well as for VC and cybersecurity researchers.”

To steal a line from Jaws, “We're gonna need a
bigger jail!” (This guy makes me look anorexic.) But wait! The
fun is not over yet!

Internet entrepreneur Kim
Dotcom and three co-defendants are eligible to be extradited to
the U.S. to face charges including criminal copyright infringement,
money laundering and conspiracy to commit racketeering, a New Zealand
court ruled on Wednesday.

… His New Zealand-based lawyer Ron Mansfield
told The Wall Street Journal that Mr. Dotcom is positive he can
succeed in the higher courts in New Zealand. “We’ve just got
through the starter’s gates, we haven’t lost the race. We remain
pretty confident.”

… Cybersecurity insurance is one of the
fastest growing sectors in the insurance market, according to the PwC
Global State of Information Security Survey 2016. A recent PwC
report forecasts that the global cyberinsurance market will reach
$7.5 billion in annual sales by 2020, up from $2.5 billion this year.

A rite of passage for new parents is
child-proofing—securing the home from threats to children. Most
experts on the subject highly recommend that parents make their way
around the house on their hands and knees in order to experience the
environment from a child’s perspective. This may be the
only way to see the threats that aren’t obvious from an adult’s
point of view.

The same is true when building security into an
application. Obviously, there are lists of common vulnerabilities
and other guidance in the form of best practices to consider.
However, to really protect
software you need to consider the hacker’s point of view of the
application. You need to think like a hacker, but act
like a security pro.

Betting on litigation. A new area for my
Statistics students to ponder?

Caterpillar
ordered to pay $73.6M to tiny British firm for stealing design

A federal jury has ordered Peoria-based
Caterpillar to pay a small British firm $73.6 million for ripping off
its design for a piece of heavy-duty construction equipment.

… Miller's victory was good news for Highland
Park-based Arena Consulting, which helped bankroll the suit in return
for a cut of the jury award.

So-called litigation financing is a growing but
controversial industry. Supporters say it levels the playing field,
allowing small-time litigants to have their day in court against
wealthy defendants, but critics say giving outside investors a stake
in the outcome of a case can skew the litigants' decision making.

… Some scholars argue nations must take a
rigorous approach to understanding how people become radicalized —
and, just as importantly, that religion itself is not the main
motivation.

A substantial number of radical Islamic terrorists
are recent converts who know surprisingly little about Islam, Olivier
Roy, a professor at the European University Institute in Italy and
well-known analyst of Islamist terrorism, said in a recent lecture,
where he attempted to lay out “a scientific perspective on the
causes/circumstances” of people joining radical groups.

… No comprehensive data exists on the
militants who have joined the Islamic State and other organizations,
but Roy has analyzed individual stories of the path to radicalization
— saying that we must first understand radicalization before we can
hope to prevent or reverse it.

… 4. Most radicals are motivated by the
desire to be a hero, to do violence or get revenge.

After over a month of speculation, more details
are beginning to emerge surrounding Amazon's rumored plan to launch
an in-house freight airline. The rumor started
with someone close to the talks posting on an online forum stating
that Amazon is working to create the world's largest overnight parcel
service within 2 years. The source stated Amazon would not buy an
existing company as it did
not want to inherit the problems so instead resorted to
launching its own operation. In this article, I go into detail about
the implications of such an operation for Amazon financially,
structurally and the risks associated with such a venture.

… Amazon has been quietly
building up sorting centers across the country, replacing work
that was previously done by FedEx and UPS

Monday, December 21, 2015

Iranian hackers infiltrated the control
system of a small dam less than 20 miles from New York City two years
ago, sparking concerns that reached to the White House, according to
former and current U.S. officials and experts familiar with the
previously undisclosed incident.

“Everything is being integrated, which is great,
but it’s not very secure,” said Cesar Cerrudo, an Argentine
researcher and chief technology officer at IOActive Labs, a
security-consulting firm. At a hacker conference last year in Las
Vegas, Mr. Cerrudo wowed the audience when he showed how he could
manipulate traffic lights in major U.S. cities.

Operators of these systems “don’t think about
security,” he said.

Not just educating employees, but keeping them
alert. What would a serious hacker do?

Terrified by a string of recent hacks,
banks are spending billions of dollars trying to fend off a faceless
army of digital intruders.

But the biggest threats may come from
within.

Banks fear a growing number of employees
are unwittingly exposing valuable information to hackers or in some
cases leaving digital clues that make a breach possible. To boost
their defenses, firms are banning workers from using portable devices
such as USB drives, warning employees to be careful what they post on
social media and even discouraging
workers from posting “out-of-office” replies on their emails.

Networking and security company Juniper Networks revealed last week
that it had identified unauthorized code in ScreenOS, the operating
system powering the company’s NetScreen firewalls.

… The vulnerabilities have been analyzed by several external
researchers. Fox-IT experts said it took them just 6 hours to find
the password for the ScreenOS authentication backdoor.

After analyzing the differences between the vulnerable and patched
versions of ScreenOS, Rapid7’s HD Moore determined that the
authentication backdoor, which can be exploited via SSH or Telnet,
involves the default password <<< %s(un='%s') = %u

This backdoor password, which was presumably set this way so that it
would be mistaken for one of the many debug format strings present in
the code, can be leveraged by an attacker who knows a valid username
for the device.

On one hand, it’s difficult to say if this vulnerability has been
exploited in the wild since even though an unauthorized access
attempt would normally be logged, it’s easy for an attacker to
delete the relevant log entries. However, as Moore has highlighted,
the logs might be sent to a centralized server, which could result in
an alert being triggered.
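The detection point above (a centralized copy of the logs survives local deletion) can be turned into a simple check. The following is an added example, not code from the article, Rapid7 or Juniper: it diffs the firewall's local log against the forwarded central copy and flags admin logins from outside an assumed management subnet. The log lines and their format are constructed for illustration and do not reproduce the real ScreenOS syslog format.

```python
import ipaddress
import re

# Constructed sample lines in a simplified, hypothetical syslog-like format.
# The central copy is what the syslog server received from the firewall.
CENTRAL_LOG = [
    "2015-12-17T10:00:01 fw1 admin login ok user=admin src=10.0.5.20 proto=ssh",
    "2015-12-17T10:05:43 fw1 admin login ok user=netops src=203.0.113.7 proto=telnet",
    "2015-12-17T10:06:10 fw1 config change user=netops",
    "2015-12-17T10:30:00 fw1 admin logout user=admin",
]
# The copy pulled from the device itself: the 10:05 and 10:06 entries are gone,
# which is what a deleted-log-entries scenario looks like from the defender side.
DEVICE_LOG = [
    "2015-12-17T10:00:01 fw1 admin login ok user=admin src=10.0.5.20 proto=ssh",
    "2015-12-17T10:30:00 fw1 admin logout user=admin",
]
# Assumed management network; real deployments substitute their own allowlist.
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

LOGIN_RE = re.compile(r"admin login ok user=(\S+) src=(\S+) proto=(\S+)")


def missing_on_device(central, device):
    """Return central entries that no longer exist in the device's local log.

    Any such entry is evidence that the local log was truncated or edited.
    """
    local = set(device)
    return [line for line in central if line not in local]


def suspicious_logins(lines):
    """Return (user, src, proto) for admin logins from outside MGMT_NETS."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, src, proto = m.groups()
        if not any(ipaddress.ip_address(src) in net for net in MGMT_NETS):
            alerts.append((user, src, proto))
    return alerts


if __name__ == "__main__":
    for line in missing_on_device(CENTRAL_LOG, DEVICE_LOG):
        print("TAMPERING? entry missing on device:", line)
    for user, src, proto in suspicious_logins(CENTRAL_LOG):
        print(f"ALERT: admin login by {user} from {src} over {proto}")
```

Run against the constructed data it reports two entries missing from the device log and one admin login from a non-management address over Telnet.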

It's not Hillary's fault. (Bet you never expected to see those words
on this blog.) No politicians understand technology, and that's okay.
Very few politicians bother to ask the people who do know, and that's
the problem.

Clueless Hillary Clinton On Encryption, Doesn't Understand The
Concept Of The 'Back Door'

… On one hand, Clinton doesn't want back
doors, but on the other, she wants law enforcement to be able to gain
access to data if needed. She seals the deal with: "I just
think there's got to be a way, and I would hope our tech companies
would work with government to figure it out." Making matters
worse she ponders, "maybe the back door is the wrong door?"

Clinton went on to say that maybe we need a
"Manhattan-like project" [Because
politicians understand spending lots and lots of money. Bob]
to accomplish this goal. What she doesn't seem to realize is that
what she's effectively asking for is a back door, and as soon
as any company (or person, for that matter) deliberately punches a
hole in their product's security, it's no longer secure. Period.

Over ten million fans tried to buy tickets to Adele's North American tour

… When tickets for Adele's North American tour
went on sale Wednesday morning, the virtual box office was literally
crushed when over ten million fans rushed the site. Up for
grabs were some 750,000 tickets for her 25 album tour across
the continent.

… Just how unprecedented was the demand?
Ticketmaster says that the ten million-plus figure represents an
"all-time record," and according to Billboard's
source, over four million tried to buy tickets for the six shows in
New York City alone. Perhaps the craziness isn't so surprising
considering sales of Adele's 25, which crushed
all single-week records.

Perspective. Another of those “Year End”
articles. Some charts are interesting even to me.

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.